They forgot the masterpiece I saw years ago:<p>1. Give all your Python class members a tedious naming convention.<p>2. Be DRY by writing helper functions that do name lookup based on a string of the last half of the member name.<p>3. Be even more DRY by having the function guess a little if the match isn't exact.<p>You now have an application where you cannot search for where members are referenced.
My first job out of college, my boss and I took over some code that was written by two genius PhDs (one math, one physics; we were working in finance).<p>I noticed a variable (long word starting with z) used in a lot of places. Turns out it was the German word for "counter".<p>It was my first hint that most of the backend codebase was written as a competition between the two of them to seem the smartest.<p>On the front-end, I remember opening some many-thousand-line-long file trying to figure it out. I scrolled pages and pages to the top of the file looking for a comment. I found one. The comment:<p>/* What is this shit? */<p>Written by someone who tried to help those guys.
This is the way it seems to go in the public sector, at least here in Norway.<p>1. Get an n year government contract for some huge public IT overhaul. E.g. building a new hospital journal system for a large region (this example is real, google "helseplatformen").<p>2. Spend years developing this huge proprietary .NET monolith with a waterfall model, and minimal user interaction and testing during most of the contract.<p>3. Release an MVP by the end of the contract that's barely suited for the task (inevitable due to the inherently broken dev model) and causes a huge amount of problems.<p>4. Get another n year contract to fix the thing.<p>5. Print money.
The section on naming is amateur. Names like `fred` or `asdf` are too obviously meaningless and wouldn't even pass a code review.<p>You want names that <i>do</i> describe your code but <i>badly</i>. If your function reads policies from the DB, filters them and calculates some missing data, be sure to name the function `readPolicies`. Nobody will look at that function when chasing a bug related to the filtering part!<p>You may want to spread it across a few changes to get plausible deniability. You may also "fix" the name by changing it to something hopelessly generic like `initializeState`.
Heh. The author forgot the most important one:<p>Use micro-services! The more the better! And write each micro-service using a different programming language and build system. Make sure the protocols are not documented. And that the micro-services are called p376, f190 etc. Make sure that some micro-services need to access a specific server setup to build!
I just reworked some Java code that is deployed INSIDE an Oracle database. You can load Java classes into Oracle and use them like functions.<p>So I would say: find the most obscure place you can deploy code, and make sure it is not testable.
> Hungarian Notation is the tactical nuclear weapon of source code obfuscation techniques; use it! Due to the sheer volume of source code contaminated by this idiom nothing can kill a maintenance engineer faster than a well planned Hungarian Notation attack. The following tips will help you corrupt the original intent of Hungarian Notation:<p>I can't stop laughing.
Worked with some guys like this, probably doing it intentionally. One guy liked single-letter vars & derivatives thereof. For example all the following might appear in the same 100 lines of code: a, aa, a_, aa_, aa__, A, AA, A_, AA_.<p>Often these were crazy code forking paths like:<p>* a is a 1 liner which calls a_ or aa depending on a conditional.<p>* a_ then returns something or calls a__ depending on a conditional.<p>* aa calls aa_ or aa__ depending..<p>* A, AA, A_ and AA__ might be some global states or boolean flags or cmdline args or env vars read in which affect all the above..<p>Another favorite was to use the same noun in different cases for different types of things. For example:<p>* servers - a function you call which returns a list of servers<p>* servers_ - a subfunction called by servers<p>* SERVERS - a boolean global variable switch to enable functionality<p>* Servers - a variable containing the list of servers used by all of the above<p>I once asked him to explain the differences and there was no consistency. Sometimes all-caps was the function, sometimes all-caps was the boolean, sometimes lowercase, whatever.<p>The best was clearly someone forced him to put in comments under duress.<p>However he ONLY commented the obvious stuff, like:<p>getCmdline # gets the cmdline
Extra points: leave old and outdated documentation and scripts in the repository. New documentation should go to a wiki that is not referenced in code and does not track versions. Different parts of the wiki should apply to different code versions.
My favorite is when the codebase is so deeply buried in macros and headers that send you on a wild goose chase to find any actual code that it becomes much easier to just dump the binary in IDA/Binja. The source code can lie, but at least the compiled binary directly does what it says.
One of my favorite tricks is to combine functions that get called recursively (ideally four-five calls before you get back to the first one in the circle) with objects that are gradually unpacked such that their identically named member functions do subtly different things.
> If you call your variables a, b, c, then it will be impossible to search for instances of them using a simple text editor.<p>My friends, it’s time we all learn regex. You’ve heard it’s unknowable, but a simple \b on either side of your target search is your friend too! It just means “there isn’t an alphanumeric character next to me!” It wants to get to know you! If you can’t search for a variable named a, it wants to help!
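As an added illustration (not part of the original comment), a small Python search over a constructed sample written in the style of the single-letter names mentioned elsewhere in the thread: a `\b` boundary on each side rejects `aa` and `a_` while plain substring search lights up every line, though `\b` still matches the name inside a string literal.

```python
import re

# Constructed sample (not real code) in the style of the a / aa / a_ / A naming
# scheme from the thread.
SAMPLE = """\
a = read_config()
aa = a + 1
a_ = transform(aa)
A = os.environ.get("A", "default")
result = compute(a, aa_, a_)
print(A, aa)
log("a is set")
"""


def naive_hits(source: str, name: str) -> list[int]:
    """Plain substring search: 1-based line numbers containing `name` anywhere."""
    return [i for i, line in enumerate(source.splitlines(), 1) if name in line]


def identifier_hits(source: str, name: str) -> list[int]:
    """Whole-identifier search using \\b word boundaries.

    \\b matches where a word character ([A-Za-z0-9_]) meets a non-word
    character, so `a` is not found inside `aa`, `a_` or `transform`, and the
    match is case-sensitive, so `A` is never confused with `a`.  It does not
    know about syntax: the name inside a string literal still matches.
    """
    pattern = re.compile(r"\b" + re.escape(name) + r"\b")
    return [i for i, line in enumerate(source.splitlines(), 1)
            if pattern.search(line)]


if __name__ == "__main__":
    print("substring  'a':", naive_hits(SAMPLE, "a"))       # [1, 2, 3, 4, 5, 6, 7]
    print("identifier 'a':", identifier_hits(SAMPLE, "a"))  # [1, 2, 5, 7]
    print("identifier 'aa':", identifier_hits(SAMPLE, "aa"))  # [2, 3, 6]
```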
It's a fun read, but it is pretty much impossible unless you're running a one-man show, with zero oversight or checks in place.<p>Code like that should set off alarms very fast, and any code review should catch it early on.
This "how to" guide describes, quite literally, a project I used to be on. I ran down the list and just went "Check. Check. Check. _pause_ Yeah, check. Check. Check."
Inherited one project where the previous developer enjoyed writing if cases like this<p><pre><code> if (article > 0)
</code></pre>
confusing early on because you would start thinking this is a beginning of arithmetic comparison of numbers when it actually was just a check if the article existed or not.
You no longer have to learn all that; there are plenty of frameworks and specs to combine into much greater complexity with great P deniability. OAuth is a good place to start, add some GraphQL parsing, there is plenty of similarly legit looking NoSQL.